Data flow segment optimized for hot flows

ABSTRACT

Embodiments are directed towards improving the performance of network traffic management devices by optimizing the management of hot connection flows. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may be comprised of high-performance computer memory. Making efficient use of the high speed flow cache capacity may be improved by maximizing the number of hot connection flows and minimizing the number of malicious and/or in-operative connections flows (e.g., non-genuine flows) that may have flow control data stored in the high-speed flow cache.

RELATED APPLICATIONS

This application is a Continuation Application of U.S. patentapplication Ser. No. 13/802,254 filed on Mar. 13, 2013, which is basedon previously filed U.S. Provisional Patent Application Ser. No.61/641,251 filed on May 1, 2012, the benefit of the filing dates ofwhich are hereby claimed under 35 U.S.C. §119 (e) and §120 and thecontents of which are incorporated in entirety by reference.

TECHNICAL FIELD

The present invention relates generally to packet traffic managementand, more particularly, but not exclusively to determining if networkconnection flow control data should be off-loaded to data flow segmentstored in a high-speed cache.

BACKGROUND

The expanded use of the Internet has increased communication connectionsbetween client devices and server devices. Often, a client deviceestablishes a network connection with a server device by usingwell-known protocols, such as Transmission Control Protocol/InternetProtocol (“TCP/IP”), User Datagram Protocol (“UDP”), and the like. Thisnetwork connection may be identified by one characteristic or acombination of characteristics, such as a source port, a destinationport, a source address, a destination address, a protocol, and the like.Typically, the source address, destination address, destination port,and protocol are relatively fixed for a network connection between aclient device and a server device. Thus, the source port may be utilizedto uniquely identify a connection between the client device and theserver device. Additionally, the expansion of the Internet has led toimprovements in packet traffic management. One such advancement is tosplit operations between a control segment and a data flow segment asdescribed in more detail in U.S. Pat. No. 7,343,413, filed Mar. 21,2001, and entitled “Method and System for Optimizing a Network byIndependently Scaling Control Segments and Data Flow,” which is herebyincorporated by reference in its entirety into this patent application.Thus, it is with respect to these considerations and others that theinvention has been made.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments of the present invention aredescribed with reference to the following drawings. In the drawings,like reference numerals refer to like parts throughout the variousfigures unless otherwise specified. For a better understanding of thepresent invention, reference will be made to the following DetailedDescription, which is to be read in association with the accompanyingdrawings, wherein:

FIG. 1 is a system diagram of an environment in which embodiments of theinvention may be implemented;

FIG. 2 shows an embodiment of a client device that may be included in asystem such as that shown in FIG. 1;

FIG. 3 shows an embodiment of a network device that may be included in asystem such as that shown in FIG. 1;

FIGS. 4A and 4B illustrate overview system diagrams generally showingembodiments of a packet traffic management device disposed betweenclient devices and server devices in accordance with the embodiments;

FIG. 5 illustrates a sequence diagram generally showing one embodimentof a sequence for terminating a connection flow at a data flow segmentand establishing a new connection flow at the data flow segment inaccordance with the embodiments;

FIG. 6 shows a flowchart showing a process for packet traffic managementin accordance with at least one of the various embodiments;

FIG. 7 shows a flowchart of a process for handling new connection flowsat a data flow segment in accordance with at least one of the variousembodiments;

FIG. 8 shows a flowchart of a process for handling eviction messages ata control segment in accordance with at least one of the variousembodiments;

FIG. 9 shows a flowchart of a process for determining if connectionflows may be candidates for off-loading to the data flow segment inaccordance with at least one of the various embodiments; and

FIGS. 10 and 11 show flowcharts of processes for identifying hotconnection flows in accordance with at least one of the variousembodiments.

DETAILED DESCRIPTION

Throughout the specification and claims, the following terms take themeanings explicitly associated herein, unless the context clearlydictates otherwise. The phrase “in one embodiment” as used herein doesnot necessarily refer to the same embodiment, though it may.Furthermore, the phrase “in another embodiment” as used herein does notnecessarily refer to a different embodiment, although it may. Thus, asdescribed below, various embodiments of the invention may be readilycombined, without departing from the scope or spirit of the invention.

In addition, as used herein, the term “or” is an inclusive “or”operator, and is equivalent to the term “and/or,” unless the contextclearly dictates otherwise. The term “based on” is not exclusive andallows for being based on additional factors not described, unless thecontext clearly dictates otherwise. In addition, throughout thespecification, the meaning of “a,” “an,” and “the” include pluralreferences. The meaning of “in” includes “in” and “on.”

As used herein, the term “SYN” refers to a packet transmitted utilizingTCP that includes a set synchronize control flag in a TCP header of thepacket.

As used herein, the term “ACK” refers to a packet transmitted utilizingTCP that includes a set acknowledgment flag in a TCP header of thepacket.

As used herein, the term “SYN ACK” refers to a packet transmittedutilizing TCP that includes a set synchronize control flag and a setacknowledgment flag in a TCP header of the packet.

As used herein, the term “FIN” refers to a packet transmitted utilizingTCP that includes a set no more data from sender flag in a TCP header ofthe packet.

As used herein, the term “FIN ACK” refers to a packet transmittedutilizing TCP that includes a set no more data from sender flag and aset acknowledgment flag in a TCP header of the packet. FIN ACK compressa FIN and ACK into one TCP packet.

As used herein, the term “tuple” refers to a set of values that identifya source and destination of a connection. In one embodiment, a 5 tuplemay include a source address, a destination address, a source port, adestination port, and a protocol identifier. In at least one of thevarious embodiments, tuples may be used to identify network flows (e.g.,connection flows).

As used herein, the terms “network flow,” “connection flow,”, “flow”refer to a network session that may be established between twoendpoints. In at least one of the various embodiments, a tuple maydescribe the flow. In at least one of the various embodiments, flowcontrol data associated with connection flows may be used to ensure thatthe network packets sent between the endpoints of a connection flow maybe routed along the same path. In at least one of the variousembodiments, the performance of connection oriented network protocolssuch as TCP/IP may impaired if network packets may be routed usingvarying paths and/or directed different endpoints.

As used herein, the term “genuine connection flow,” refers to aconnection flow that may have been determined to be associated with anoperative client-server communication session. In contrast, anon-genuine connection flow may be associated with a malicious attacksuch as a SYN flood attack. In at least one of the various embodiments,characteristics a genuine connection flows may include, TCP/IPhandshaking complete, evidence of bi-directional network packetexchange, or the like. Likewise, evidence that a connection flow may benon-genuine may include, half-open connections (incomplete handshakingand connection setup), few if any network packets exchanged, or thelike.

As used herein, the term “hot connection flow,” refers to a connectionflow that may have been determined to be a candidate for off loading toa data flow segment. Hot flow connections may have characteristics suchhigh-bandwidth utilization, quality of service priority, or the like.

As used herein, the term “high speed flow cache” refers to memory basedcache used for storing flow control data that corresponds to connectionflows. The cache may be accessible using, dedicated busses that mayprovide very fast performance based on a combination of factors that mayinclude, wide-busses, fast clock speeds, dedicated channels, specializedread and/or write buffer, hardware proximity, temperature control, orthe like. Also, the high speed flow cache may be comprised of very fastrandom access memory (RAM) components such as, static random accessmemory (SRAM), asynchronous SRAM, burst SRAM, extended data outputdynamic RAM (EDO DRAM), or the like. In most cases, the high performancecomponents comprising the high speed flow cache often are relativelyexpensive. Thus, the high speed flow cache may comprise valuable “realestate” within a traffic management device.

The following briefly describes the various embodiments to provide abasic understanding of some aspects of the invention. This briefdescription is not intended as an extensive overview. It is not intendedto identify key or critical elements, or to delineate or otherwisenarrow the scope. Its purpose is merely to present some concepts in asimplified form as a prelude to the more detailed description that ispresented later.

Briefly stated, embodiments are directed towards improving theperformance of network traffic management devices by optimizing themanagement of hot connection flows. In at least one of the variousembodiments, a packet traffic management device (“PTMD”) may employ adata flow segment (“DFS”) component and control segment (“CS”)component. In at least one of the various embodiments, the CS mayperform high-level control functions and per-flow policy enforcement forconnection flows maintained at the DFS, while the DFS may performstatistics gathering, per-packet policy enforcement (e.g., packetaddress translations), or the like, on connection flows maintained atthe DFS.

The CS may be utilized to generate flow control data for connectionflows that may be offloaded to the DFS based on connection flow requestsreceived at the packet traffic management device. In one embodiment, theCS may receive a new connection flow request, such as a SYN packet, sentby a client device. The CS may generate and cache a connection flowidentifier for the connection flow request. In at least one of thevarious embodiments, the DFS may include high-speed flow caches andother high-speed components. In at least one of the various embodiments,the high-speed flow cache may be enabled to store a defined amount offlow control data that may limit the number of connection flows that maybe offloaded to the DFS for handling. In at least one of the variousembodiments, making efficient use of the high speed flow cache capacitymay be improved by maximizing the number of hot connection flows andminimizing the number of malicious and/or in-operative connections flows(e.g., non-genuine flows) that may be have flow control data stored inthe high-speed flow cache.

In at least one of the various embodiments, if a new network connectionflow may be received it may be forwarded to a control segment (CS). Inat least one of the various embodiments, the CS may generate the flowcontrol data for the new network connection flow. In one embodiment, ifthe CS determines that the new network connection flow should beoffloaded to the DFS, the CS may send a control message that may includethe flow control data to the DFS. In at least one of the variousembodiments, the DFS may store the received flow control data in thehigh-speed flow cache that may correspond to the DFS.

In at least one of the various embodiments, the CS may receiveconnection flows that may be evicted from the DFS. In at least one ofthe various embodiments, if the evicted connection may remain validand/or active the CS may begin handling the network packets for thetransferred connection flow (e.g., the CS may take over the packet levelcontrol in addition to providing the flow level control and policyenforcement).

In at least one of the various embodiments, in conjunction with managingthe connection flows the CS may analyze flow statistics and applicationto identify hot connection flows. In at least one of the variousembodiments, if hot connection flows may be identified, the CS maydetermine if any should be handled by the DFS for improved performance.

In at least one of the various embodiments, offloading a connection flowto the DFS for handling enables the DFS to manage packet translationusing flow control data that may have generated by the CS. In at leastone of the various embodiments, connection flows offloaded to the DFSmay benefit from performance improvements that arising from thehigh-performance hardware that may comprise the DFS. In at least one ofthe various embodiments, storing the flow control data for connectionflows in the high-speed flow cache that may correspond to the DFS mayoccur if the connection flow may be offloaded to the DFS for handling.

Illustrative Operating Environment

FIG. 1 shows components of one embodiment of an environment in which theinvention may be practiced. Not all of the components may be required topractice the invention, and variations in the arrangement and type ofthe components may be made without departing from the spirit or scope ofthe invention.

As shown, system 100 of FIG. 1 includes local area networks(“LANs”)/wide area networks (“WANs”)-(network) 108, wireless network107, client devices 102-105, packet traffic management device (“PTMD”)109, and server devices 110-111. Network 108 is in communication withand enables communication between client devices 102-105, wirelessnetwork 107, and PTMD 109. Carrier network 107 further enablescommunication with wireless devices, such as client devices 103-105.PTMD 109 is in communication with network 108 and server devices110-111.

One embodiment of client devices 102-105 is described in more detailbelow in conjunction with FIG. 2. In one embodiment, at least some ofclient devices 102-105 may operate over a wired and/or a wirelessnetwork, such as networks 107 and/or 108. Generally, client devices102-105 may include virtually any computing device capable ofcommunicating over a network to send and receive information, includinginstant messages, performing various online activities, or the like. Itshould be recognized that more or less client devices may be includedwithin a system such as described herein, and embodiments are thereforenot constrained by the number or type of client devices employed.

Devices that may operate as client device 102 may include devices thattypically connect using a wired or wireless communications medium, suchas personal computers, servers, multiprocessor systems,microprocessor-based or programmable consumer electronics, network PCs,or the like. In some embodiments, client devices 102-105 may includevirtually any portable computing device capable of connecting to anothercomputing device and receiving information, such as laptop computer 103,smart phone 104, tablet computer 105, or the like. However, portablecomputer devices are not so limited and may also include other portabledevices, such as cellular telephones, display pagers, radio frequency(“RF”) devices, infrared (“IR”) devices, Personal Digital Assistants(“PDAs”), handheld computers, wearable computers, integrated devicescombining one or more of the preceding devices, and the like. As such,client devices 102-105 typically range widely in terms of capabilitiesand features. Moreover, client devices 102-105 may provide access tovarious computing applications, including a browser, or other web-basedapplications.

A web-enabled client device may include a browser application that isconfigured to receive and to send web pages, web-based messages, and thelike. The browser application may be configured to receive and displaygraphics, text, multimedia, and the like, employing virtually anyweb-based language, including a wireless application protocol messages(“WAP”), and the like. In one embodiment, the browser application isenabled to employ Handheld Device Markup Language (“HDML”), WirelessMarkup Language (“WML”), WMLScript, JavaScript, Standard GeneralizedMarkup Language (“SGML”), HyperText Markup Language (“HTML”), eXtensibleMarkup Language (“XML”), and the like, to display and send a message. Inone embodiment, a user of the client device may employ the browserapplication to perform various activities over a network (online).However, another application may also be used to perform various onlineactivities.

Client devices 102-105 also may include at least one other clientapplication that is configured to receive and/or send data betweenanother computing device. The client application may include acapability to send and/or receive content, or the like. The clientapplication may further provide information that identifies itself,including a type, capability, name, or the like. In one embodiment,client devices 102-105 may uniquely identify themselves through any of avariety of mechanisms, including a phone number, Mobile IdentificationNumber (“MIN”), an electronic serial number (“ESN”), or other mobiledevice identifier. The information may also indicate a content formatthat the mobile device is enabled to employ. Such information may beprovided in a network packet, or the like, sent between other clientdevices, PTMD 109, server devices 110-111, or other computing devices.

Client devices 102-105 may further be configured to include a clientapplication that enables an end-user to log into an end-user accountthat may be managed by another computing device, such as server devices110-111, or the like. Such end-user accounts, in one non-limitingexample, may be configured to enable the end-user to manage one or moreonline activities, including in one non-limiting example, searchactivities, social networking activities, browse various websites,communicate with other users, participate in gaming, interact withvarious applications, or the like. However, participation in onlineactivities may also be performed without logging into the end-useraccount.

Wireless carrier network 107 is configured to couple client devices103-105 and its components with network 108. Wireless carrier network107 may include any of a variety of wireless sub-networks that mayfurther overlay stand-alone ad-hoc networks, and the like, to provide aninfrastructure-oriented connection for client devices 102-105. Suchsub-networks may include mesh networks, Wireless LAN (“WLAN”) networks,cellular networks, and the like. In one embodiment, the system mayinclude more than one wireless network.

Wireless carrier network 107 may further include an autonomous system ofterminals, gateways, routers, and the like connected by wireless radiolinks, and the like. These connectors may be configured to move freelyand randomly and organize themselves arbitrarily, such that the topologyof wireless carrier network 107 may change rapidly.

Wireless carrier network 107 may further employ a plurality of accesstechnologies including 2nd (2G), 3rd (3G), 4th (4G) 5^(th) (5G)generation radio access for cellular systems, WLAN, Wireless Router(“WR”) mesh, and the like. Access technologies such as 2G, 3G, 4G, 5G,and future access networks may enable wide area coverage for mobiledevices, such as client devices 103-105 with various degrees ofmobility. In one non-limiting example, carrier network 107 may enable aradio connection through a radio network access such as Global Systemfor Mobil communication (“GSM”), General Packet Radio Services (“GPRS”),Enhanced Data GSM Environment (“EDGE”), code division multiple access(“CDMA”), time division multiple access (“TDMA”), Wideband Code DivisionMultiple Access (“WCDMA”), High Speed Downlink Packet Access (“HSDPA”),Long Term Evolution (“LTE”), and the like. In essence, carrier network107 may include virtually any wireless communication mechanism by whichinformation may travel between client devices 103-105 and anothercomputing device, network, and the like.

Network 108 is configured to couple network devices with other computingdevices, including, server devices 110-111 through PTMD 109, clientdevice 102, and client devices 103-105 through wireless carrier network107. Network 108 is enabled to employ any form of computer readablemedia for communicating information from one electronic device toanother. Also, network 108 can include the Internet in addition to LANs,WANs, direct connections, such as through a universal serial bus (“USB”)port, other forms of computer readable media, or any combinationthereof. On an interconnected set of LANs, including those based ondiffering architectures and protocols, a router acts as a link betweenLANs, enabling messages to be sent from one to another. In addition,communication links within LANs typically include twisted wire pair orcoaxial cable, while communication links between networks may utilizeanalog telephone lines, full or fractional dedicated digital linesincluding T1, T2, T3, and T4, and/or other carrier mechanisms including,for example, E-carriers, Integrated Services Digital Networks (“ISDNs”),Digital Subscriber Lines (“DSLs”), wireless links including satellitelinks, or other communications links known to those skilled in the art.Moreover, communication links may further employ any of a variety ofdigital signaling technologies, including without limit, for example,DS-0, DS-1, DS-2, DS-3, DS-4, OC-3, OC-12, OC-48, or the like.Furthermore, remote computers and other related electronic devices couldbe remotely connected to either LANs or WANs via a modem and temporarytelephone link. In one embodiment, network 108 may be configured totransport information of an Internet Protocol (“IP”). In essence,network 108 includes any communication method by which information maytravel between computing devices.

Additionally, communication media typically embodies computer readableinstructions, data structures, program modules, or other transportmechanism and includes any information delivery media. By way ofexample, communication media includes wired media such as twisted pair,coaxial cable, fiber optics, wave guides, and other wired media andwireless media such as acoustic, RF, infrared, and other wireless media.

One embodiment of PTMD 109 is described in more detail below inconjunction with FIG. 3. Briefly, however, PTMD 109 may includevirtually any network device capable of managing network traffic betweenclient devices 102-105 and server devices 110-111. Such devices include,for example, routers, proxies, firewalls, load balancers, cache devices,devices that perform network address translation, or the like, or anycombination thereof. PTMD 109 may perform the operations of routing,translating, switching packets, or the like. In one embodiment, PTMD 109may inspect incoming network packets, and may perform an addresstranslation, port translation, a packet sequence translation, and thelike, and route the network packets based, at least in part, on thepacket inspection. In some embodiments, PTMD 109 may perform loadbalancing operations to determine a server device to direct a request.Such load balancing operations may be based on network traffic, networktopology, capacity of a server, content requested, or a host of othertraffic distribution mechanisms.

PTMD 109 may include a control segment and a separate data flow segment.The control segment may include software-optimized operations thatperform high-level control functions and per-flow policy enforcement forpacket traffic management. In at least one of the various embodiments,the control segment may be configured to manage connection flowsmaintained at the data flow segment. In one embodiments, the controlsegment may provide instructions, such as, for example, a packettranslation instruction, to the data flow segment to enable the dataflow segment to route received packets to a server device, such asserver device 110-111. The data flow segment may includehardware-optimized operations that perform statistics gathering,per-packet policy enforcement (e.g., packet address translations),high-speed flow caches, or the like, on connection flows maintained atDFS between client devices, such as client devices 102-105, and serverdevices, such as server devices 110-111.

Server devices 110-111 may include virtually any network device that mayoperate as a website server. However, server devices 110-111 are notlimited to website servers, and may also operate as messaging server, aFile Transfer Protocol (FTP) server, a database server, content server,or the like. Additionally, each of server devices 110-111 may beconfigured to perform a different operation. Devices that may operate asserver devices 110-111 include various network devices, including, butnot limited to personal computers, desktop computers, multiprocessorsystems, microprocessor-based or programmable consumer electronics,network PCs, server devices, network appliances, and the like.

Although FIG. 1 illustrates server devices 110-111 as single computingdevices, the invention is not so limited. For example, one or morefunctions of each of server devices 110-111 may be distributed acrossone or more distinct network devices. Moreover, server devices 110-111are not limited to a particular configuration. Thus, in one embodiment,server devices 110-111 may contain a plurality of network devices thatoperate using a master/slave approach, where one of the plurality ofnetwork devices of server devices 110-111 operate to manage and/orotherwise coordinate operations of the other network devices. In otherembodiments, the server devices 110-111 may operate as a plurality ofnetwork devices within a cluster architecture, a peer-to-peerarchitecture, and/or even within a cloud architecture. Thus, theinvention is not to be construed as being limited to a singleenvironment, and other configurations, and architectures are alsoenvisaged.

Illustrative Client Device

FIG. 2 shows one embodiment of client device 200 that may be included ina system implementing embodiments of the invention. Client device 200may include many more or less components than those shown in FIG. 2.However, the components shown are sufficient to disclose an illustrativeembodiment for practicing the present invention. Client device 200 mayrepresent, for example, one embodiment of at least one of client devices102-105 of FIG. 1.

As shown in the figure, client device 200 includes a processor 202 incommunication with memory 226 via a bus 234. Client device 200 alsoincludes a power supply 228, one or more network interfaces 236, anaudio interface 238, a display 240, a keypad 242, and an input/outputinterface 248.

Power supply 228 provides power to client device 200. A rechargeable ornon-rechargeable battery may be used to provide power. The power mayalso be provided by an external power source, such as an AC adapter or apowered docking cradle that supplements and/or recharges a battery.

Client device 200 may optionally communicate with a base station (notshown), or directly with another computing device. Network interface 236includes circuitry for coupling client device 200 to one or morenetworks, and is constructed for use with one or more communicationprotocols and technologies including, but not limited to, global systemfor mobile communication (“GSM”), code division multiple access(“CDMA”), time division multiple access (“TDMA”), High Speed DownlinkPacket Access (“HSDPA”), Long Term Evolution (“LTE”), user datagramprotocol (“UDP”), transmission control protocol/Internet protocol(“TCP/IP”), short message service (“SMS”), general packet radio service(“GPRS”), WAP, ultra wide band (“UWB”), IEEE 802.16 WorldwideInteroperability for Microwave Access (“WiMax”), session initiatedprotocol/real-time transport protocol (“SIP/RTP”), or any of a varietyof other wireless communication protocols. Network interface 236 issometimes known as a transceiver, transceiving device, or networkinterface card (“NIC”).

Audio interface 238 is arranged to produce and receive audio signalssuch as the sound of a human voice. For example, audio interface 238 maybe coupled to a speaker and microphone (not shown) to enabletelecommunication with others and/or generate an audio acknowledgementfor some action.

Display 240 may be a liquid crystal display (“LCD”), gas plasma, lightemitting diode (“LED”), or any other type of display used with acomputing device. Display 240 may also include a touch sensitive screenarranged to receive input from an object such as a stylus or a digitfrom a human hand.

Keypad 242 may comprise any input device arranged to receive input froma user. For example, keypad 242 may include a push button numeric dial,or a keyboard. Keypad 242 may also include command buttons that areassociated with selecting and sending images.

Client device 200 also comprises input/output interface 248 forcommunicating with external devices, such as a headset, or other inputor output devices not shown in FIG. 2. Input/output interface 248 canutilize one or more communication technologies, such as USB, infrared,Bluetooth™, or the like.

Client device 200 may also include a GPS transceiver (not shown) todetermine the physical coordinates of client device 200 on the surfaceof the Earth. A GPS transceiver typically outputs a location as latitudeand longitude values. However, the GPS transceiver can also employ othergeo-positioning mechanisms, including, but not limited to,triangulation, assisted GPS (“AGPS”), Enhanced Observed Time Difference(“E-OTD”), Cell Identifier (“CI”), Service Area Identifier (“SAT”),Enhanced Timing Advance (“ETA”), Base Station Subsystem (“BSS”), or thelike, to further determine the physical location of client device 200 onthe surface of the Earth. It is understood that under differentconditions, a GPS transceiver can determine a physical location withinmillimeters for client device 200; and in other cases, the determinedphysical location may be less precise, such as within a meter orsignificantly greater distances. In one embodiment, however, mobiledevice 200 may through other components, provide other information thatmay be employed to determine a physical location of the device,including for example, a Media Access Control (“MAC”) address, IPaddress, or the like.

Memory 226 includes a Random Access Memory (“RAM”) 204, a Read-onlyMemory (“ROM”) 222, and other storage means. Mass memory 226 illustratesan example of computer readable storage media (devices) for storage ofinformation such as computer readable instructions, data structures,program modules or other data. Mass memory 226 stores a basicinput/output system (“BIOS”) 224 for controlling low-level operation ofclient device 200. The mass memory also stores an operating system 206for controlling the operation of client device 200. It will beappreciated that this component may include a general-purpose operatingsystem such as a version of UNIX, or LINUX′, or a specialized clientcommunication operating system such as Windows Mobile™, or the Symbian®operating system. The operating system may include, or interface with aJava virtual machine module that enables control of hardware componentsand/or operating system operations via Java application programs.

Mass memory 226 further includes one or more data storage 208, which canbe utilized by client device 200 to store, among other things,applications 214 and/or other data. For example, data storage 208 mayalso be employed to store information that describes variouscapabilities of client device 200. The information may then be providedto another device based on any of a variety of events, including beingsent as part of a header during a communication, sent upon request, orthe like. Data storage 208 may also be employed to store socialnetworking information including address books, buddy lists, aliases,user profile information, or the like. Further, data storage 208 mayalso store message, we page content, or any of a variety of usergenerated content. At least a portion of the information may also bestored on another component of network device 200, including, but notlimited to processor readable storage device 230, a disk drive or othercomputer readable storage medias (not shown) within client device 200.

Processor readable storage device 230 may include volatile, nonvolatile,removable, and non-removable media implemented in any method ortechnology for storage of information, such as computer- orprocessor-readable instructions, data structures, program modules, orother data. Examples of computer readable storage media include RAM,ROM, Electrically Erasable Programmable Read-only Memory (“EEPROM”),flash memory or other memory technology, Compact Disc Read-only Memory(“CD-ROM”), digital versatile disks (“DVD”) or other optical storage,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other physical medium which can be usedto store the desired information and which can be accessed by acomputing device. Processor readable storage device 230 may also bereferred to herein as computer readable storage media.

Applications 214 may include computer executable instructions which,when executed by client device 200, transmit, receive, and/or otherwiseprocess network data. Network data may include, but is not limited to,messages (e.g., SMS, Multimedia Message Service (“MIMS”), instantmessage (“IM”), email, and/or other messages), audio, video, and enabletelecommunication with another user of another client device.Applications 214 may include, for example, browser 218. Applications 214may include other applications, which may include, but are not limitedto, calendars, search programs, email clients, IM applications, SMSapplications, voice over Internet Protocol (“VOIP”) applications,contact managers, task managers, transcoders, database programs, wordprocessing programs, security applications, spreadsheet programs, games,search programs, and so forth.

Browser 218 may include virtually any application configured to receiveand display graphics, text, multimedia, and the like, employingvirtually any web based language. In one embodiment, the browserapplication is enabled to employ HDML, WML, WMLScript, JavaScript, SGML,HTML, XML, and the like, to display and send a message. However, any ofa variety of other web-based programming languages may be employed. Inone embodiment, browser 218 may enable a user of client device 200 tocommunicate with another network device, such as PTMD 109 and/or withserver devices 110-111.

Illustrative Network Device

FIG. 3 shows one embodiment of a network device 300, according to oneembodiment of the invention. Network device 300 may include many more orless components than those shown. The components shown, however, aresufficient to disclose an illustrative embodiment for practicing theinvention. Network device 300 may be configured to operate as a server,client, peer, a host, or any other device. Network device 300 mayrepresent, for example PTMD 109 of FIG. 1, server devices 110-111 ofFIG. 1, and/or other network devices.

Network device 300 includes processor 302, processor readable storagedevice 328, network interface unit 330, an input/output interface 332,hard disk drive 334, video display adapter 336, data flow segment(“DFS”) 338 and a mass memory, all in communication with each other viabus 326. The mass memory generally includes RAM 304, ROM 322 and one ormore permanent mass storage devices, such as hard disk drive 334, tapedrive, optical drive, and/or floppy disk drive. The mass memory storesoperating system 306 for controlling the operation of network device300. Any general-purpose operating system may be employed. Basicinput/output system (“BIOS”) 324 is also provided for controlling thelow-level operation of network device 300. As illustrated in FIG. 3,network device 300 also can communicate with the Internet, or some othercommunications network, via network interface unit 330, which isconstructed for use with various communication protocols including theTCP/IP protocol. Network interface unit 330 is sometimes known as atransceiver, transceiving device, or network interface card (“NIC”).

Network device 300 also comprises input/output interface 332 forcommunicating with external devices, such as a keyboard, or other inputor output devices not shown in FIG. 3. Input/output interface 332 canutilize one or more communication technologies, such as USB, infrared,Bluetooth™, or the like.

The mass memory as described above illustrates another type of computerreadable media, namely computer readable storage media and/or processorreadable storage media, including processor readable storage device 328.Processor readable storage device 328 may include volatile, nonvolatile,removable, and non-removable media implemented in any method ortechnology for storage of information, such as computer readableinstructions, data structures, program modules, or other data. Examplesof processor readable storage media include RAM, ROM, EEPROM, flashmemory or other memory technology, CD-ROM, digital versatile disks (DVD)or other optical storage, magnetic cassettes, magnetic tape, magneticdisk storage or other magnetic storage devices, or any other media whichcan be used to store the desired information and which can be accessedby a computing device.

Data storage 308 may include a database, text, spreadsheet, folder,file, or the like, that may be configured to maintain and store useraccount identifiers, user profiles, email addresses, IM addresses,and/or other network addresses; or the like. Data stores 308 may furtherinclude program code, data, algorithms, and the like, for use by aprocessor, such as central processing unit 302 to execute and performactions. In one embodiment, at least some of data store 308 might alsobe stored on another component of network device 300, including, but notlimited to processor-readable storage device 328, hard disk drive 334,or the like.

The mass memory may also stores program code and data. One or moreapplications 314 may be loaded into mass memory and run on operatingsystem 306. Examples of application programs may include transcoders,schedulers, calendars, database programs, word processing programs,Hypertext Transfer Protocol (“HTTP”) programs, customizable userinterface programs, IPSec applications, encryption programs, securityprograms, SMS message servers, IM message servers, email servers,account managers, and so forth. Web server 316 and control segment(“CS”) 318 may also be included as application programs withinapplications 314.

Web server 316 represent any of a variety of services that areconfigured to provide content, including messages, over a network toanother computing device. Thus, web server 316 includes, for example, aweb server, a File Transfer Protocol (“FTP”) server, a database server,a content server, or the like. Web server 316 may provide the contentincluding messages over the network using any of a variety of formatsincluding, but not limited to WAP, HDML, WML, SGML, HTML, XML, CompactHTML (“cHTML”), Extensible HTML (“xHTML”), or the like. Web server 316may also be configured to enable a user of a client device, such asclient devices 102-105 of FIG. 1, to browse websites, upload user data,or the like.

Network device 300 may also include DFS 338 for maintaining connectionflows between client devices, such as client devices 102-105 of FIG. 1,and server devices, such as server devices 110-111 of FIG. 1. In oneembodiment, DFS 338 may include hardware-optimized operations for packettraffic management, such as repetitive operations associated with packettraffic management. For example, DFS 338 may perform statisticsgathering, per-packet policy enforcement (e.g., packet addresstranslations), or the like, on connection flows maintained at DFS 338.In some embodiments, DFS 338 may route, switch, forward, direct and/orotherwise handle packets based on rules for a particular connection flowsignature (e.g., a 5 tuple of a received packet). Thus, DFS 338 mayinclude capabilities and perform tasks such as that of a router, aswitch, a routing switch, or the like. In some embodiments, the rulesfor a particular connection flow signature may be based on instructionsreceived from CS 318. In one embodiment, DFS 338 may store theinstructions received from CS 318 in a local memory as a table or someother data structure. In some other embodiments, DFS 338 may also storea flow state table to indicate a state of current connection flowsmaintained at DFS 338. In at least one of the various embodiments,components of DFS 338 may comprise and/or work in combination to providehigh-speed flow caches for optimizing packet traffic management.

In some embodiments, DFS 338 may provide connection flow status updatesto CS 318. In one embodiment, a connection flow status update mayinclude a status of the connection flow, a current state of theconnection flow, other statistical information regarding the connectionflow, or the like. The connection flow update may also include anidentifier that corresponds to the connection flow. The identifier maybe generated and provided by CS 318 when a connection flow isestablished at DFS 338. In some embodiments, the connection flow updatemay be a connection flow delete update provided to CS 318 after theconnection flow is terminated at DFS 338. The connection flow statusupdate and/or the connection flow delete update may be provided to CS318 periodically, at predefined time intervals, or the like. In someembodiments, DFS 338 may stagger a time when a plurality of connectionflow status updates are provided to CS.

In some other embodiments, DFS 338 may include a plurality of data flowsegments. In one non-limiting example, a first data flow segment withinDFS 338 may forward packets received from a client device to a serverdevice, while a second data flow segment within DFS 338 may forwardand/or route packets received from a server device to a client device.In at least one of the various embodiments, DFS 338 may also beimplemented in software.

CS 318 may include a control segment that may include software-optimizedoperations to perform high-level control functions and per-flow policyenforcement for packet traffic management. CS 318 may be configured tomanage connection flows maintained at DFS 338. In one embodiments, CS318 may provide instructions, such as, for example, a packet addresstranslation instructions, to DFS 338 to enable DFS 338 to forwardreceived packets to a server device, such as server device 110-111 ofFIG. 1. In some other embodiments, CS 318 may forward and/or routepackets between a client device and a server device independent of DFS338.

In at least one of the various embodiments, CS 318 may include aplurality of control segments. In some embodiments, a plurality ofcontrol segments may access and/or manage connection flows at a singledata flow segments and/or a plurality of data flow segments. In someother embodiments, CS 318 may include an internal data flow segment. Inone such embodiment, the internal data flow segment of CS 318 may bedistributed and/or separate from CS 318. For example, in one embodiment,CS 318 may be employed in software, while the internal data flow segmentmay be employed in hardware. In some other embodiments, CS 318 mayidentify if connection flows are split between different data flowsegments and/or between a DFS 338 and CS 318. In at least oneembodiment, CS 318 may also be implemented in hardware.

In at least one of the various embodiments, CS 318 may be configured togenerate an identifier for each connection flow established at DFS 338.In some embodiments, CS 318 may utilize a sequence number of a SYN togenerate an identifier for a corresponding connection flow.

In one embodiment, the identifier may be based on a hash of the sequencenumber. In another embodiment, the identifier may be based on anexclusive OR byte operation of the sequence number. CS 318 may cache theidentifier at CS 318 and may provide the identifier to DFS 338. In someembodiments, CS 318 may cache an identifier for each connection flow itestablishes at DFS 338.

FIG. 4A illustrates a system diagram generally showing one embodiment ofa system with a packet traffic management device disposed between clientdevices and server devices. System 400A may include packet trafficmanagement device (“PTMD”) 404 disposed between client devices 402-403and server devices 410-411. Client devices 402-403 may include Client 1through Client M, which may include one or more client devices, such asclient devices 200 of FIG. 2. Server devices 410-411 may includeServer_1 through Server_N, which may include one or more server devices,such as server devices 110-111 of FIG. 1.

In one embodiment, PTMD 404 may be an embodiment of PTMD 109 of FIG. 1.PTMD 404 may include data flow segment (“DFS”) 406 in communication withcontrol segment (“CS”) 408. In at least one of the various embodiments,DFS 406 may be an embodiment of DFS 338 of FIG. 3, and CS 408 may be anembodiment of CS 318 of FIG. 3.

CS 408 may be configured to communicate with DFS 406, client devices402-403 and/or server devices 410-411 independent of DFS 406, and/or anycombination thereof. CS 408 may establish connection flows at DFS 406.In some embodiments, CS 408 may establish a connection flow at DFS 406by providing instructions including flow control data to DFS 406 thatenables DFS 406 to forward packets received at PTMD 404. In oneembodiment, CS 408 may perform a load balancing operation to select aserver device of server devices 410-411 to receive packets sent from aclient device, such as client device 402. In some other embodiments, CS408 may generate and cache a connection flow identifier to be providedto DFS 406 when the connection flow is established.

DFS 406 may be configured to facilitate communications between clientdevices 402-403 and server devices 410-411. DFS 406 may process andforward packets received at PTMD 404 based on the instructions and flowcontrol data received from CS 408. For example, in one embodiment, DFS406 utilizes the instructions and/or flow control data to forwardpackets received from client device 402 to server device 410 and toforward packets received from server device 410 to client device 402. Insome embodiments, DFS 406 may forward predetermined packets to CS 408,such as, but not limited to, new connection flow requests (e.g.,associated with a SYN). In yet other embodiments, DFS 406 may notify CS408 that a packet was received and forwarded. In one non-limiting,non-exhaustive example, DFS 406 may notify CS 408 that an ACK wasreceived from client device 402 and forwarded to server device 410. Inat least one of the various embodiments, DFS 406 may also provideconnection flow updates and a corresponding connection flow identifierto CS 408. CS 408 may compare the corresponding connection flowidentifier with the cached identifier to determine if the connectionflow update is valid.

In at least one of the various embodiments, DFS 406 may send evictmessages to CS 408 if connection flow are evicted from the DFS 406. Inat least one of the various embodiments, DFS 406 may evict a connectionflow if new flows arrive and the capacity of the DFS to handle newconnection flow may be exceeded. In at least one of the variousembodiments, evictions from DFS 406 may occur if the high speed flowcache for storing flow control data exhausts its ability to store theflow control data for new connection flows. In at least one of thevarious embodiments, evict messages sent from DFS 406 to CS 408 maycontain enough information to fully identify the connection flow (e.g.,endpoints, ports, sequent numbers, flow state, or the like).

In at least one of the various embodiments, CS 408 may receive and routepackets associated with evicted connection flows, thereby taking on someof the duties of DFS 406. In at least one of the various embodiments,some new connection flow may not be offloads to DFS 406 if CS 408determines that the connection flows may be management on the CS or ifthe CS determines that more information may be required to determine ifthe connection flow should be offloaded to DFS 406.

Although PTMD 404 illustrates DFS 406 and CS 408 as two partitionswithin a single PTMD 404, the invention is not so limited. Rather, insome embodiments, DFS 406 and CS 408 may be functional blocks in a samePTMD 404 (i.e., a same chassis/computing device). In other embodiments,DFS 406 may be implemented by one or more chassis/computing devicesseparate from one or more other chassis/computing devices that may beutilized to implement CS 408. In yet other embodiments, CS 408 may be amodule that plugs into DFS 406. Additionally, it is envisaged that thefunctionality of either DFS 406 and/or CS 408 may be separatelyimplemented in software and/or hardware.

FIG. 4B illustrates a system diagram generally showing one embodiment ofa system with a packet traffic management device disposed between clientdevices and server devices. System 400B may include packet trafficmanagement device (“PTMD”) 404 disposed between client devices 402-403and server devices 410-411. Client devices 402-403 may include Client 1through Client M, which may include one or more client devices, such asclient devices 102-105 of FIG. 1. Server devices 410-411 may includeServer_1 through Server_N, which may include one or more server devices,such as server devices 110-111 of FIG. 1.

In one embodiment, PTMD 404 may be an embodiment of PTMD 404 of FIG. 4.PTMD 404 may include data flow segments (“DFS”) 406-407 and controlsegments (“CS”) 408-409. DFS 406-407 may include a plurality of dataflow segments, each of which may be an embodiment of DFS 406 of FIG. 4A.CS 408-409 may include a plurality of control flow segments, each ofwhich may be an embodiment of CS 408 of FIG. 4.

In some embodiments, data communicated between client devices 402-403and server devices 410-411 may flow through one or more data flowsegments 406-407. In one embodiment, data from client devices 402-403may flow through a first DFS, such as DFS 406 and data from serverdevices 410-411 may flow through a second DFS, such as DFS 407.

In at least one of the various embodiments, one or more data flowsegments of DFS 406-407 may communicate with one or more controlsegments of CS 408-409. Similarly, one or more control segments of CS408-409 may communicate with one or more data flow segments of DFS406-407. In some embodiments, each control segment of CS 408-409 maycommunicate (not shown) with other control segments of CS 408-409. Inother embodiments, each data flow segment of DFS 406-407 may communicate(not shown) with other data flow segments of DFS 406-407.

Also, in at least one of the various embodiments, connection flows maybe split into flow portions based on the direction of network packettravel. In at least one of the various embodiments, the network packetscoming from the client may treated as a separate connection flow and thenetwork packets coming from a server and directed towards a client maybe treated as a separate connection flow. In at least one of the variousembodiments, this enables optimizations based on the amount of networkpacket traffic of a particular split connection flows. In at least oneof the various embodiments, this may enable the upload and downloaddirection portion of connection flows to be split across CS 408-409 andDFS 406-407 based on the characteristics of the upload and downloadportions of the connection flows. For example, in at least one of thevarious embodiments, if downloading streaming video may be a veryasymmetric operation having many network packets download to the clientand few uploaded. In at least one of the various embodiments, the uploadand download portions of connection flow in the download direction maybe optimized independent with one portion using the DFS and a high-speedflow cache and the other portion may be handled on the CS using lowerperforming (e.g., less expensive) resources.

FIG. 5 illustrates an embodiment of a sequence for establishing aconnection flow and offloading the new connection flow to the data flowsegment (DFS). Sequence 500 may show an embodiment using TCP/IPnetworking protocol but one of ordinary skill the art will appreciatethat the sequence diagram (or similar sequences) may generally apply toother networking protocols that may have other handshaking sequences aswell. Also, even though sequence 500 depicts a sequence including oneclient, one DFS, one CS, and one application server, in at least one ofthe various embodiments, one or more, data flow segments, controlsegments, clients, and servers, may be participate in handshaking and inthe connection flow offloading. Also, in at least one of the variousembodiments, the connection flows may be split into upload and downloadportions of a connection flow, with each portion representing onedirection of the connection flow.

In at least one of the various embodiments, sequence 500 begins at step502 if a client initiates a connection with a network resource that maybe managed by a PTMD, such as PTMD 109. If client may be initiating theconnection using TCP/IP, a SYN packet may be sent to the PTMD.

At step 504 a SYN packet may be received at a DFS that may be part of aPTMD. In at least one of the various embodiments, at step 506, becausethe DFS may determine that the incoming connection represents a newconnection flow, the DFS may forward the SYN packet to a CS. At step 506a CS may examine the connection flow and may determine the appropriateflow control data for the new flow and send it to the DFS. In at leastone of the various embodiments, CS may apply one or more stored rulesthat may be used to determine the flow control data for the new networkconnection flow. In at least one of the various embodiments, the storedrules may implement network traffic management services such as loadbalancing, application access control, or the like.

In at least one of the various embodiments, at step 508 the DFS mayreceive the flow control data from the CS and store it in a high speedflow cache. In at least one of the various embodiments, the flow controldata may be used by the DFS to forward the SYN packet to an appropriateserver and/or network resource as directed by the flow control data thatmay be provided by the CS.

In at least one of the various embodiments, at step 510 a server and/ornetwork resource may receive the SYN packet and may respond by sending aSYN-ACK packet to the DFS. In at least one of the various embodiments,at step 512 the DFS may again use the flow control data stored in thehigh speed flow cache to map and/or translate the SYN ACK from a serverto the appropriate client.

In at least one of the various embodiments, at step 514 the clientdevice that sent the initial SYN packet may receive the correspondingSYN ACK and subsequently may respond with an ACK packet. In at least oneof the various embodiments, at step 516 the DFS, using the stored flowcontrol data to determine the network path the to server, may forwardthe ACK packet to the server.

In at least one of the various embodiments, at step 518 the server mayreceive the ACK packet corresponding to the client device. After the ACKmay have been received, the network connection flow may be in anestablished state. In at least one of the various embodiments, duringsteps 520-524, using the established network connection flow, the servermay begin exchanging application data with client. In at least one ofthe various embodiments, at this point, for each exchange of data, theDFS may use the flow control data that may be stored in the high speedflow cache to map between the application servers and the client toroute the packets on the correct path to maintain the connection flow.

General Operation

FIG. 6 shows a flowchart showing at least one of the various embodimentsof a process for packet traffic management. In process 600, after astart block, at block 602 a network packet may be received by a DFS. Inat least one of the various embodiments, the network packets may bereceived from network 108, and/or may have been forwarded throughmultiple networks, switches, routers, other PTMDs or the like.

At decision block 604, in at least one of the various embodiments, ifthe received network packet may be associated with a new connectionflow, control may move to block 606. Otherwise, in at least one of thevarious embodiments, control may move to decision block 608.

In at least one of the various embodiments, a DFS may examine theconnection flow and compare it the flow control data that may be storedin a high-speed cache. In at least one of the various embodiments, atuple corresponding to the network packet may be examined to determineif the network packet is part of a new connection flow. If a tuplecorresponding to the incoming network packet may not be found in thehigh-speed flow cache the DFS may determine that the network packet maybe part of a new connection flow.

At block 606, in at least one of the various embodiments, the incomingnetwork packet that may be associated with a new connection flow may beforwarded to a CS for further processing. In at least one of the variousembodiments, the incoming network packet may be sent to a CS using acommand bus that may enable DFS and CS components to exchange data andmessages. Next, control may move decision block 614.

At decision block 608, in at least one of the various embodiments, ifflow control data may be available for the connection flow associatedwith network packet, control may move to block 710. Otherwise, in atleast one of the various embodiments, control may move to block 612.

At block 610, in at least one of the various embodiments, the DFS mayforward the network packet to its next destination based on the flowcontrol data and/or information associated with the network packet'scorresponding connection flow that may be stored in the high speed flowcache that corresponds to the DFS. Next, in at least one of the variousembodiments, control may move to decision block 614.

At block 612, in at least one of the various embodiments, the networkpacket having a previously seen tuple may be stored in a buffer on theDFS until flow control data may be provided by the CS.

In at least one of the various embodiments, a received network packetmay be associated with a connection flow that has been previously beenobserved. However, in at least one of the various embodiments, if theflow control data from the CS may not be available, the DFS may storethe network packets associated with the connection flow in a bufferuntil the relevant flow control data may be received from the CS.

Also, in at least one of the various embodiments, incoming networkpackets associated with unknown and/or new connection flows may beforwarded to the CS for buffering, rather than buffering on the DFS,until a flow control data determination may be made by the CS.

At decision block 614, in at least one of the various embodiments, ifthere may be more incoming network packets, control may loop back toblock 602. Otherwise, in at least one of the various embodiments,control may be returned to a calling process.

FIG. 7 shows a flowchart of process 700, in at least one of the variousembodiments, for handling new connection flows at a DFS. After a startblock, at block 702 a DFS component may receive new flow control datafrom a CS. In at least one of the various embodiments, if new flowcontrol data may be received, the DFS may store the flow data into ahigh-speed flow cache.

In at least one of the various embodiments, the new flow control datamay be sent to the DFS as part of a “new flow” control message sent fromthe CS to the DFS.

At decision block 704, in at least one of the various embodiments, ifthe DFS high-speed flow cache may be full, control may move to block706. Otherwise, in at least one of the various embodiments, control maymove block 708.

In at least one of the various embodiments, the high-speed flow cachemay be implemented as a hash such that the a hash key may be generatedfor each new connection flow based on properties of the connection flowsuch as the tuple, CS generated connection identifier, SYN cookie, orthe like. In at least one of the various embodiments, if the range(number of unique values) of the hash key may be more than the number ofslots in the high speed flow cache, the hash key may be truncated so thenumber of hash key value possibilities may be equal or similar to thenumber of slots in the high-speed flow cache. In at least one of thevarious embodiments, truncation of the hash key may increase the numberof hash key collisions. If, in at least one of the various embodiments,a new connection flow hash key may cause hash key collision, theconnection flow currently in the cache may get evicted (e.g., its flowcontrol data is removed from the high speed cache and the responsibilityfor managing the flow may be transferred to the CS) to make room for thenew connection flow.

At block 706, in at least one of the various embodiments, to make roomfor the new flow control data received from the CS, flow control datafor a different, previously cached connection flow may be removed (e.g.,evicted) from the DFS high-speed flow cache. In at least one of thevarious embodiments, the DFS may send the CS a control messageindicating that a connection flow may have been evicted from the DFSrequiring the associated flow control data to be removed from the DFShigh-speed flow cache. In at least one of the various embodiments, theeviction message may include information, such as, number of packetssent or received over this network flow, age of the network flow, tupleinformation, or the like. In at least one of the various embodiments,the control message sent to the CS may contain enough information toenable the CS to identify the network flow that may be evicted from theDFS.

At block 708, in at least one of the various embodiments, the flowcontrol data associated with the new connection flow may be stored inthe DFS high-speed flow cache. In at least one of the variousembodiments, flow control data may be stored in one or more componentsof the DFS that may operate singly or in combination as a high-speedflow cache.

At block 710, in at least one of the various embodiments, the DFS maybegin processing received network packets associated with knownconnection flows using the flow control data that may be associated withthe connection flow and stored in the high-speed flow cache.

FIG. 8 shows a flowchart of process 800, in at least one of the variousembodiments, for handling eviction (EVICT) messages at a CS. After astart block, at block 802, the CS may receive an EVICT message from aDFS.

At decision block 804, in at least one of the various embodiments, ifthe eviction message corresponds to a closed and/or terminatedconnection flow control may move to block 806. Otherwise, in at leastone of the various embodiments, control may move to block 808.

At block 806, in at least one of the various embodiments, the closedand/or terminated flow and associated flow control data may bediscarded.

At block 808, in at least one of the various embodiments, theresponsibility for managing the evicted connection flow may betransferred to the CS. In at least one of the various embodiments,network packets received over the transferred connection flow may behandled by the CS.

In at least one of the various embodiments, the CS may store the flowcontrol data for the evicted connection flow in a local flow cache. Inat least one of the various embodiments, the flow cache in the CS may bearranged to include at least the same information that may be storedregarding connection flows using the high speed flow cache on the DFS.

At decision block 810, in at least one of the various embodiments, ifthere may be more eviction messages to process, control may loop back toblock 802. Otherwise, in at least one of the various embodiments,control may be returned to a calling process.

In at least one of the various embodiments, depending on thecircumstances, a connection flow may be handled on one or more DFSs, onone or more CSs, or partially on one or more CSs and partially on one ormore DFSs. In at least one of the various embodiments, if a connectionflow may be being handled by the CS it may not receive a new flownetwork message from the DFS. Likewise, if a DFS may be handling aconnection flow it may not send a new flow network message to the CScomponent if the DFS can associate the incoming network traffic with aknown connection flow. However, in at least one of the variousembodiments, the CS may analyze each connection flow to determine theconnection flows may be evicted from the DFS.

FIG. 9 shows a flowchart for process 900 that in at least one of thevarious embodiments determines if connection flows may be candidates foroff-loading to the DFS for handling. After a start block, at block 902,in at least one of the various embodiments, the CS may receive a networkpacket associated with a connection flow that may be managed by the CS.

In at least one of the various embodiments, network packets received bythe CS may be associated connection flows that may have their packetlevel processing and management processing handled on the CS rather theDFS. In at least one of the various embodiments, as the CS handles thereceived packets at least in accordance with the stored flow controldata it may perform additional action to identify hot connection flows.

At block 904, in at least one of the various embodiments, the CS mayreceive a flow status update (FSU) from a DFS. In at least one of thevarious embodiments, the FSU may be received asynchronously with respectto the network packets that may be received by the CS. In at least oneof the various embodiments, if a FSU may be not be available control maymove to block 906.

At block 906, in at least one of the various embodiments, the CS mayupdate the statistics being maintained for the connection flows. In atleast one of the various embodiments, statistics may be tracked for theconnection flows being managed by the CS directly as well as theconnection flows that may be managed by the DFS (e.g., off-loadedconnection flows).

In at least one of the various embodiments, the updating of connectionflow metrics may use a combination of information from one or more FSUsand metrics that may be collected on the CS, including, bit-rate, datasent over a time interval, data received over a time interval, or thelike. In at least one of the various embodiments, the connection flowmetrics collected may be based, low level network information derivedfrom L1-L4 as well as higher level network information derived fromL5-L7 (as per the Open Systems Interconnection (OSI) model).

At block 908, in at least one of the various embodiments, the CS mayanalyze the collected connection flow statistics and may apply relevantrules to identify hot connection flows. (See, FIGS. 10 and 11.) In atleast one of the various embodiments, the CS may employ at least oneconnection flow metric to determine each hot connection flow out of theplurality of managed connection flows

In at least one of the various embodiments, rules may be defined thatdeclare that one or more specific sources, endpoints, data types, or thelike may indicated to be hot connection flows. Or, in at least one ofthe various embodiments, rules may be defined to adjust the priority ofcertain connection flows based on flow patterns, sources, endpoints,data types, or like.

In at least one of the various embodiments, generally the same type offlow control policies rulemaking may be extended to influence theidentification and determination of how connection flows may bedesignated as hot connection flows.

At decision block 910, if connection flows may be identified for movingfrom the CS to the DFS and/or from the DFS to the CS for handling,control may move block 912. Otherwise, in at least one of the variousembodiments, control may move to decision block 914.

In at least one of the various embodiments, the CS may employ at leastone connection flow metric to determine each hot connection flow in theplurality of managed connection flows.

At block 912, in at least one of the various embodiments, if connectionflows may be identified for moving, the CS may generate the relevantcommands and/or messages to and send to the appropriate CS and/or DFSfor handling. In at least one of the various embodiments, someconnection flows may be moved from a DFS to the CS for handling. In atleast one of the various embodiments, the DFS may be employed to handleeach determined hot connection flow.

Also, in at least one of the various embodiments, some of the connectionflows that may have been identified as hot connection flows may be movedand/or off-loaded to a DFS for handling to benefit from at least higherperformance/processing speeds the may be associated with a DFS. Next, inat least one of the various embodiments, control may move to decisionblock 914.

At decision block 914, in at least one of the various embodiments, ifthere may be more network packets available control may loop back toblock 902. Otherwise, in at least one of the various embodiments,control may be returned to a calling process.

FIGS. 10 and 11 describe various embodiments for identifying if aconnection flow may be a hot connection flow. One of ordinary skill inthe art will appreciate that the techniques, parameters, and thresholdsused to identify “hot connection flows” may vary depending on theapplications being managed by a PTMD and the goals and priorities of theoperators and users of the PTMD at a particular time. In at least one ofthe various embodiments, generally, the criteria for identifying a hotconnection flow may be defined based on the application and user goalsand if connection flow properties meet the criteria, a connection flowmay be deemed a hot connection flow.

In at least one of the various embodiments, as part of determining if aconnection flow may be a candidate for offloading to the DFS forhandling (e.g., hot connection flow), the content of received networkpackets may be examined. In at least one of the various embodiments, thenetwork packets may be examined to identify data patterns and meta-datathat may indicate that the connection flow may be a hot connection flowthat may be a good candidate for offloading to the DFS component.

In at least one of the various embodiments, if examining the networkpackets, the CS may identify application level protocol data, messages,or meta-data for determining if the associated connection flow may be ahot connection flow. For example, if a CS may identify that a connectionflow may be using HTTP, the CS may examine HTTP headers such as,Content-Type, Content-Length, Cache-Control, or the like, as part ofdetermining if a connection flow may be a hot connection flow.

In at least one of the various embodiments, if a network packet may bedetermined to be a first packet of a HTTP response, a content lengthvalue provided by the server sending the HTTP response may be available.In at least one of the various embodiments, the HTTP content lengthvalue may indicate the number of network packets that may be likely tobe used to transmit the complete HTTP response from the server. Forexample, in at least one of the various embodiments, if the contentlength value may indicate that the response may use a single networkpacket, the associated connection flow may not be a candidate foroffloading to the DFS because additional packets may not be expected forthis response. On the other hand, in at least one of the variousembodiments, if the content length value indicates that more networkpackets may be on the way for the same response, the connection flow maybe determined to be a candidate for offloading to the DFS component. Inat least one of the various embodiments, the content length value maycorrelate to the likelihood of offloading a connection flow to a DFS(e.g., an increase in the content length value leads to an increase inthe chance of offloading the connection flow to the DFS).

In at least one of the various embodiments, in some cases, the operatingcharacteristics of a connection flow may have significant variance. Forexample, in at least one of the various embodiments, the bit-rate for aconnection may be prone to spikes if the content/communication may beuneven. Thus, in at least one of the various embodiments, a connectionflow once determined to be a good offload candidate (leading to likelyoffloading to the DFS) may soon be determined to be a poor offloadcandidate (leading to likely removal from the DFS) depending on theimmediate condition and/or characteristics of the underlyingcommunication session.

In at least one of the various embodiments, a connection flow mayrepeatedly cycled back and forth from being handled on the DFS to beinghandled on CS, or back again. In at least one of the variousembodiments, the cycling may occur based on at least the variance of theoperating characteristics of the connection flow. In at least one of thevarious embodiments, this at least enables the performance of theconnection flow and the usage of the DFS to be continually optimized totake advantage of the variance in the connection flow operation.

For example, in at least one of the various embodiments, as the networktraffic over the connection flow slows, the connection flow may be movedto the CS for handling. Likewise, in at least one of the variousembodiments, as the network traffic over the connection flow increasesthe connection flow may be moved to the DFS for handling.

In at least one of the various embodiments, the cycling of theconnection flow between the CS and the DFS components may occur one ormore times during a communication session. Also, in at least one of thevarious embodiments, the cycling operations performed by the CS and theDFS components may be seamless and unseen/opaque to both ends of thecommunication session.

FIG. 10 shows a flowchart for at least one of the various embodiments ofprocess 1000 for identifying hot connection flows. After a start block,at decision block 1002, in at least one of the various embodiments, ifthe number of connection flows being handled on the PTMD may less thanthe capacity of the DFS control may be returned to the calling process.Otherwise, in at least one of the various embodiments, control may moveto block 1004. In at least one of the various embodiments, if the highspeed flow cache on the DFS has unused capacity both hot connectionflows and “normal” connection flows may be processed on the DFS.

At block 1004, in at least one of the various embodiments, connectionflows may be sorted in rank order based on the amount of data trafficpassed through, exchanged, or communicated through the connection flowin a given time interval.

In at least one of the various embodiments, well known data structuresand sorting algorithms may be employed to generate a tabular datastructure wherein the connection flows may be logically order from basedon amount of the data traffic passing through the connection flow over atime interval.

At block 1006, in at least one of the various embodiments, hot flowcandidates may be determined and identified based on the top N flowsbased on the rank order.

In at least one of the various embodiments, the rules associated withdetermining/defining hot connection flows may include parameters such as“N” (e.g., how many of the top connection flows may be designated as hotconnection flows). In at least one of the various embodiments, “N” maybe based on a formula that may include additional parameters includinghaving different values based on the type of connection flow.

Next, control may be returned to a calling process.

FIG. 11 shows a flowchart for at least one of the various embodiments ofprocess 1100 for identifying hot connection flows. After a start block,at decision block 1102, in at least one of the various embodiments, ifthe number of connection flows being handled on the PTMD may be lessthan the capacity of the DFS, control may be returned to the callingprocess. Otherwise, in at least one of the various embodiments, controlmay move to block 1104. In at least one of the various embodiments, ifthe high speed flow cache on the DFS has unused capacity both hotconnection flows and “normal” connection flows may be processed on theDFS.

At block 1104, in at least one of the various embodiments, the medianbit-rate of connection flows being handled on the CS may be determinedfor use in predicting a maximum number of connection flows that may beprocessed by the CS. For example, in at least one of the variousembodiments, if the median bit-rate of connection flows currently beinghandled on the CS may be 1 million bits per second and the totalbandwidth of the CS for handling connection flows may be 2000 millionbits per second, the maximum number of connection flows that may beprocessed may be estimated as 2000 connection flows (2000 millionbits/sec/1 million bits/sec).

At block 1106, in at least one of the various embodiments, hotconnection flow candidates may be identified based on the top N-tile ofconnection flows based on the maximum number of flows the CS may beexpected to handle. For example, in at least one of the variousembodiments, if a CS may be expected to handle 2000 connection flows,the top 25% of connection flows based on bit-rate (for a count of 500flows) may identified as hot connection flows. Next, in at least one ofthe various embodiments, control may be returned to a calling process.

It will be understood that figures, and combinations of actions in theflowchart-like illustrations, can be implemented by computer programinstructions. These program instructions may be provided to a processorto produce a machine, such that the instructions executing on theprocessor create a means for implementing the actions specified in theflowchart blocks. The computer program instructions may be executed by aprocessor to cause a series of operational actions to be performed bythe processor to produce a computer implemented process for implementingthe actions specified in the flowchart block or blocks. These programinstructions may be stored on some type of machine readable storagemedia, such as processor readable non-transitive storage media, or thelike.

What is claimed is:
 1. A method for managing communication over anetwork with a traffic management device (TMD) that includes one or moreprocessors, wherein execution of logic by the one or more processorsperforms actions, comprising: employing one or more control segment (CS)components to perform actions, including: managing a plurality ofconnection flows; generating one or more connection flow metrics basedon one or more received network packets for one or more of the managedconnection flows; and employing the one or more connection flow metricsto determine each hot connection flow in the managed connection flows;and employing one or more data flow segment (DFS) components to performactions, including maintaining packet level flow handling for one ormore of the plurality of connection flows.